HarborGuard Database
CRITICAL · CVE-2026-35308 · CNA: oracle

CVE-2026-35308: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 10.0
  • Severity: CRITICAL
  • Fixed in: none yet (pending upstream fix)
  • Affected products: 1


HarborGuard Analysis

Synopsis

A critical remote code execution class vulnerability affects Oracle Coherence, a component of Oracle Fusion Middleware (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0). It is reachable over the network via HTTP with no authentication required and no user interaction needed, and the CVSS scope is changed, meaning a successful attacker can break out of the vulnerable component and affect other systems. Exploitation results in full takeover of Oracle Coherence, with high impact to confidentiality, integrity, and availability. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer container images, including custom-built images in private registries and CI/CD pipelines. Any image containing an affected Oracle Coherence version (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) is flagged automatically.

Triage (status: Available)

HarborGuard triage capability applies the CVSS 3.1 base score of 10.0 (Critical) and weighs findings against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (status: Pending upstream)

No fix version has been published by Oracle at this time. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a fix. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Coherence service over the network via HTTP; no local or physical access is needed.

  • Authentication: Not required

    No credentials or session token of any kind are required; the vulnerability is exposed to unauthenticated attackers.

  • Victim interaction: Not required

    The attack is fully automated and requires no action from any user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and repeatable with no race conditions or special environmental factors to satisfy.

Blast Radius

  • A successful attacker reads all data accessible to the Oracle Coherence process, including cached application data, session tokens, and any secrets held in memory.
  • The attacker can write or modify persisted data within Oracle Coherence, corrupting cache state or injecting malicious entries consumed by downstream services.
  • The Coherence service can be crashed or rendered permanently unavailable, disrupting any application layer that depends on it for distributed caching or data management.
  • Because the CVSS scope is changed, the attacker can pivot to compromise other products and services running in the same environment beyond Oracle Coherence itself.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, every customer environment running a scanned image that includes Oracle Coherence 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0 will surface this CVE as a Critical-severity finding immediately upon the next scan cycle. HarborGuard monitors the Oracle advisory on every ingest pass and will trigger a patched-image rebuild automatically the moment Oracle publishes a fix version; for customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available through HarborGuard policy include network-policy isolation to restrict inbound HTTP access to Coherence endpoints, egress filtering to limit lateral movement in the event of compromise, and runtime alerting on unexpected process or network behavior within containers running the affected component. Where compliance policy permits, customers can also gate affected workloads behind a feature flag or route them through a deny-by-default network segment until Oracle ships the patch.

Affected packages
  • Oracle Corporation / Oracle Coherence
    12.2.1.4.0 · 14.1.1.0.0 · 14.1.2.0.0 · 15.1.1.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H